Moderate severity · NVD Advisory · Published Apr 6, 2021 · Updated Aug 3, 2024
CVE-2021-29136
Description
Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/opencontainers/umoci (Go) | < 0.4.7 | 0.4.7 |
Affected products
19 entries:
- Open Container Initiative/umoci (source: description)
- ghsa-coords (18 versions):

| Package URL | CPE | Affected range |
|---|---|---|
| pkg:golang/github.com/opencontainers/umoci | (no CPE) | < 0.4.7 |
| pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.8.3-1.2 |
| pkg:rpm/opensuse/umoci&distro=openSUSE%20Leap%2015.2 | (no CPE) | < 0.4.6-lp152.2.3.1 |
| pkg:rpm/opensuse/umoci&distro=openSUSE%20Leap%2015.3 | (no CPE) | < 0.4.7-3.12.1 |
| pkg:rpm/opensuse/umoci&distro=openSUSE%20Tumbleweed | (no CPE) | < 0.4.7-2.3 |
| pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2015%20SP2 | (no CPE) | < 3.7.3-bp152.2.19.3 |
| pkg:rpm/suse/umoci&distro=SUSE%20Enterprise%20Storage%206 | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 | (no CPE) | < 0.4.7-3.12.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP2 | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3 | (no CPE) | < 0.4.7-3.12.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Manager%20Proxy%204.0 | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0 | (no CPE) | < 0.4.6-3.9.1 |
| pkg:rpm/suse/umoci&distro=SUSE%20Manager%20Server%204.0 | (no CPE) | < 0.4.6-3.9.1 |
References
- github.com/advisories/GHSA-9m95-8hx6-7p9v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-29136 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2021/04/06/2 (ghsa, x_refsource_MISC, WEB)
- github.com/opencontainers/umoci/commit/d9efc31daf2206f7d3fdb839863cf7a576a2eb57 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v (ghsa, x_refsource_CONFIRM, WEB)